After reading this chapter, you will be able to:
- Identify the types of internal controls and their importance to the business as a whole.
- Evaluate the control activities within a company and determine the deficiencies from a fraud prevention perspective.
- Discuss the key components of an effective comprehensive fraud prevention program.
The impact of fraud hits a company straight in the bottom line. While large corporations may be able to withstand a six- or seven-figure fraud, a smaller corporation or a nonprofit organization may never recover. To survive in today’s competitive marketplace, businesses must be proactive in the fight against fraud.
Internal controls related to fraud fall into one of three categories:
- Preventive controls. These are focused on protecting the company’s assets and information by stopping fraud from occurring.
- Detective controls. These are aimed at finding fraud when it occurs, hopefully as soon as possible.
- Corrective controls. These attempt to remedy problems that are discovered, so that future frauds can be better prevented and detected.
The Sarbanes-Oxley Act of 2002 (SOX) generally applies to U.S. public companies and their auditors, but numerous multinational public companies and private companies are complying with the regulations voluntarily. SOX generally requires:
- Management to assess the effectiveness of the company’s internal control structure over financial reporting. Are the controls effective at ensuring that the financial statements will be presented accurately?
- An auditor’s report on management’s assessment. Do the auditors believe that management’s assessment of the internal controls is accurate?
- New auditing standards and rules for auditing firms with public clients. Auditors of public companies are limited in the other services that they may provide to their clients, in order to ensure their independence.
Other broad requirements of SOX include whistleblower provisions, under which companies must establish a confidential, anonymous reporting mechanism for employees. This is most often an anonymous hotline, which can be run through an outside vendor that guarantees anonymity for callers. The company must also disclose whether a Code of Ethics has been established for executives and make it available to the public. SOX defines conflicts of interest and prohibits certain actions, such as personal loans to executive officers or directors.
SOX does not specify a particular set of internal controls that must be in place in companies. There are certain elements of internal controls that are required, such as the whistleblower provisions and management’s evaluation of the internal controls, but the regulation does not specify a large set of controls that must be put into place.
Understanding what SOX does not require of companies may be even more important than knowing what is required. Many individuals and investors do not understand that SOX actually requires very little in the way of substantive improvement to the internal controls of a company. As long as management is willing to admit publicly that its controls are not good, the company is not forced to improve the internal controls.
Control Activities within a Company:
The policies and procedures of a company fall into a number of categories, with the most common including:
- Safeguards over assets – securing physical assets, access to data, and money
- Segregation of duties – dividing activities so one employee doesn’t have too much control over an area or duty
- Proper authorization of transactions – ensuring that employees aren’t exceeding their authority
- Independent checks on performance – using audits, surprise check-ups, inventory counts, or other procedures to verify compliance with policies and procedures, as well as accuracy
- Anonymous reporting mechanism – employee fraud hotline
- Monitoring activities – monitoring access to assets, data, and the accounting system
- Management can and should monitor access to
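Two of the control activities above, segregation of duties and proper authorization of transactions, can be checked mechanically over an accounting system's transaction log. The following is an added example (not from this chapter) of such a detective control: it runs over a constructed vendor/payment ledger and flags a payment approved by the same person who set up the payee, and approvals above a hypothetical per-user approval limit.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str        # "vendor_created" or "payment_approved"
    user: str        # employee who performed the action
    vendor: str      # payee the action relates to
    amount: float = 0.0
    ref: str = ""    # payment reference, only for payment_approved


# Constructed sample ledger for illustration only (not real data).
EVENTS = [
    Event("vendor_created", "alice", "ACME"),
    Event("vendor_created", "bob", "GLOBEX"),
    Event("payment_approved", "alice", "ACME", 4200.0, "P-1"),    # alice set up ACME and approved its payment
    Event("payment_approved", "carol", "ACME", 900.0, "P-2"),     # clean
    Event("payment_approved", "carol", "GLOBEX", 25000.0, "P-3"),  # above carol's limit
    Event("payment_approved", "dave", "GLOBEX", 50.0, "P-4"),     # dave has no approval authority at all
]

# Hypothetical approval limits per user (an assumption for the example).
APPROVAL_LIMITS = {"alice": 10000.0, "bob": 10000.0, "carol": 5000.0}


def find_sod_conflicts(events):
    """Segregation-of-duties check: a payment approved by the user who created
    the payee vendor gives one person control over both setup and payout."""
    creators = {e.vendor: e.user for e in events if e.kind == "vendor_created"}
    return [e.ref for e in events
            if e.kind == "payment_approved" and creators.get(e.vendor) == e.user]


def find_authorization_breaches(events, limits):
    """Proper-authorization check: flag approvals above the approver's limit;
    a user with no limit on file is treated as having no authority (limit 0)."""
    return [e.ref for e in events
            if e.kind == "payment_approved" and e.amount > limits.get(e.user, 0.0)]


def exceptions_report(events, limits):
    """Combine both checks into the exception list an internal auditor would review."""
    return {"sod_conflicts": find_sod_conflicts(events),
            "authorization_breaches": find_authorization_breaches(events, limits)}


if __name__ == "__main__":
    print(exceptions_report(EVENTS, APPROVAL_LIMITS))
```

Each flagged reference is a lead for independent follow-up, not proof of fraud; the value of the control is that the exceptions are produced by someone other than the approver.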
Comprehensive Fraud Prevention Program Components:
- Fraud education: Teaching employees about fraud risks
- Fraud investigation: Investigating instances of suspected fraud
- Fraud prevention: Evaluating, designing, and implementing controls that proactively prevent fraud